CrypMIC Ransomware Emerges as CryptXXX Copycat

CryptXXX, the ransomware family that steals user data in addition to holding it hostage, might soon see tough competition from a newcomer that is already using the same distribution channel, namely the Neutrino exploit kit.

Dubbed CrypMIC, the contender was spotted a couple of weeks ago, when over the course of a single week Neutrino repeatedly alternated its malicious payload between it and CryptXXX. What’s more, Trend Micro security researchers discovered that the new ransomware family mimics CryptXXX not only in terms of entry point, but also in its ransom note and payment site UI.

Other similarities between the two threats include the use of the same format for the sub-version ID/bot ID (U followed by six digits, i.e. UXXXXXX) and the same export function names (MS1, MS2). Furthermore, researchers say that both ransomware families employ a custom protocol over TCP port 443 to communicate with their command and control (C&C) servers, so the traffic is not TLS and can be told apart from genuine HTTPS despite using the same port.

However, the source code and capabilities of the two are different. CrypMIC doesn’t append an extension to the encrypted files, and uses a different compiler and obfuscation method. Moreover, unlike CryptXXX, CrypMIC has a routine that checks whether the infected system is a virtual machine and reports the result to its C&C.

The new piece of ransomware uses AES-256 encryption, targets 901 file types on the infected machine, and has no autostart or persistence mechanism, so it does not survive a reboot on its own. Notably, the VM check does not stop it: the malware runs its encryption routine even in a virtualized environment and merely sends the result to the C&C, which means sandbox detonation still yields the full encryption behavior. It also uses vssadmin to delete Volume Shadow Copies, removing the local restore points a victim could otherwise recover from.
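Because the shadow copy deletion is the one step both CryptXXX and CrypMIC perform through a stock Windows tool, it is a cheap detection point for either family. The following is an added example, not code from the article or from Trend Micro: it parses constructed process-creation events (Sysmon Event ID 1 rendered as key=value pairs, a format assumed for this illustration) and flags command lines that delete shadow copies. It goes slightly beyond the text by also matching the equivalent `wmic shadowcopy delete` command, and it raises the severity when the parent process lives in a user-writable temp path, a common dropper trait.

```python
"""Flag shadow-copy deletion in process-creation telemetry.

Added illustration of the detection point in the text: ransomware such as
CrypMIC runs vssadmin to remove Volume Shadow Copies, so an alert on that
command line catches it regardless of which family launched it. The log
format (Sysmon Event ID 1 as key=value pairs) and the sample lines below are
constructed for this example, not telemetry from the article.
"""
import re

# Constructed sample events; the dropper path and names are made up.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\rad3F2A1.tmp.exe '
    'CommandLine="vssadmin.exe Delete Shadows /All /Quiet"',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="vssadmin list shadows"',
    'EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="wmic shadowcopy delete"',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe '
    'ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="notepad.exe notes.txt"',
]

# Key="quoted value" or Key=bare-value pairs.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# "vssadmin.exe Delete Shadows /All /Quiet" in any casing; "list shadows" must not match.
_VSSADMIN_DELETE = re.compile(r'\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b', re.I)
# Generalisation beyond the article: wmic removes the same copies.
_WMIC_DELETE = re.compile(r'\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b', re.I)
# A parent binary under AppData or Temp is a typical freshly dropped payload.
_SUSPICIOUS_PARENT = re.compile(r'\\(?:AppData|Temp)\\', re.I)


def parse_event(line):
    """Turn one key=value log line into a dict; quoted values may contain spaces."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def shadow_copy_deletion_reason(cmdline):
    """Return a short reason if the command line deletes shadow copies, else None."""
    if _VSSADMIN_DELETE.search(cmdline):
        return "vssadmin delete shadows"
    if _WMIC_DELETE.search(cmdline):
        return "wmic shadowcopy delete"
    return None


def scan(lines):
    """Return one alert dict per process-creation event that deletes shadow copies."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "1":
            continue  # only process-creation events carry a command line here
        reason = shadow_copy_deletion_reason(event.get("CommandLine", ""))
        if reason is None:
            continue
        parent = event.get("ParentImage", "")
        alerts.append({
            "image": event.get("Image", ""),
            "parent": parent,
            "reason": reason,
            # Deletion driven from a temp-dropped binary is the ransomware pattern.
            "severity": "high" if _SUSPICIOUS_PARENT.search(parent) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['reason']}: "
              f"{alert['image']} spawned by {alert['parent']}")
```

Run against the constructed events, the first line (vssadmin launched by a binary in the user's Temp folder) is reported as high severity, the wmic deletion launched from cmd.exe as medium, and the benign `vssadmin list shadows` and notepad lines are ignored. In production the same logic would be fed from the Sysmon or Security event log rather than inline strings, and an alert should trigger isolation of the host, since the shadow copies are gone by the time it fires.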

According to Trend Micro, CrypMIC, like CryptXXX, is particularly dangerous to enterprises because it can also encrypt files on removable and network drives, although it can only reach network shares that have already been mapped to a drive letter; unmapped shares are left alone. Both ransomware families demand the same ransom amount, namely 1.2 to 2.4 Bitcoins, researchers say.

However, the newcomer doesn’t download and execute an information-stealing module in its process memory, meaning that it isn’t able to harvest credentials and related information from the infected machine, something that CryptXXX has become known for.

“Both CrypMIC and CryptXXX pose dangers to organizations and users as these threats steal and hold data hostage, and even pilfer credentials from various programs. Paying the ransom does not guarantee that end-users will get their files back. For instance, the decryptor created by CrypMIC’s developers has been reported to be not functioning properly,” Trend Micro says.

Furthermore, the security researchers note that businesses and users who end up paying the ransom are likely to be targeted by further ransomware attacks. The best way to protect against such threats is to keep systems updated with the latest security patches, use multilayered defenses, and back up data regularly to storage the malware cannot reach, so that files can be restored even after an infection.